Reputation: 13
How to compute a digital signature on a Smartcard?
So I'm pretty new to smartcards and I'm trying to compute a signature over some random bytes. The operating system on the card is cardos v4.3 . I am able to use the PKCS#15 Format and the ISO 7816 standard.
My workflow to compute the signature is as follows:
select SigG application APDU= 00 A4 01 0C 02 1F FF 00. status = 90 00
verify Sig. Pin in the current DF APDU= 00 20 00 81 08 31 32 33 34 35 36 37 38 00 status = 90 00
trying to sign 40 random Bytes with PSO_CDS APDU= 00 2A 9E 9A 08 01 02 03 04 05 06 07 08 .... 28(hex) 00 status = 6A88
The smartcard is in a freshly reset.
Am I missing a command or a prerequisite I need to satisfy or something else? What is the general workflow when signing a hash which was computed with for example openssl?
I know that for PSO_CDS there must be a Current Security Environment where a valid PSO_PrivateKey must be specified, but I don't understand how to incorporate this into the commandflow.
I am planning to create a c++-function which will get a hash, compute the signature with the smartcard and then return the signature.
Upvotes: 1
Views: 936
Answers (2)
Reputation: 13
So, I was able to compute a signature. Because PSO_CDS doesn't really worked for me, I did it this way:
Select the SigG Application/DF.
Made an manage security environment set (mse set), where I specified the CON component (which is the PSO Private Key in the Application) off the current security environment.
verified the pin with the Pin object in the SigG Application.
Computed the signature with PSO_DEC. When using PSO_DEC you need to provide an extended apdu, because the command field has to contain a padded 256 Byte hashvalue and with normal apdu's it is only possible to have an command field up to 255 Bytes on my card.
Upvotes: 0
Reputation: 5333
The problem is, that the card does not know, which key to use. This is due to the correctly observed lack of a meaningful current security environment. Since Perform Security Environment (short: PSO) has no standardized means of specifying the key to use, this has to be set-up earlier by providing the security environment with that information, e. g. via Manage Security Environment (see below).
The easiest way for providing the key reference is, to create a persistent Security Environment with the ID 1 in the same DF as your key, since this is loaded (or restored) automatically during SELECT (FILE) of the DF, otherwise you have to send Manage Security Environment (short MSE) in Restore mode manually or in SET mode (volatile for this session). (Whichever Security Environment you use, it has to contain the reference to a private key within digital signature template.) Whether you do the MSE RESTORE directly after selection of the DF, before the PIN verification or at any moment in between is your choice, but it has to be active when sending the PSO command.
40 bytes seems not to be the length opf a typical hash value, so take care to set up the algorithm properly to include hashing.
Upvotes: 1
Related Questions
- (Smart Card) APDU Command to sign
- How to perform Terminal Authentication on smart card?
- ISO 7816 How to Use Calculate Signature Command APDU Multiple Times
- Tachograph smart card .ddd file signature
- Digital signatures with inserted private key to smart card
- How to make a digital signature in a web application (JavaScript) using a smartcard?
- Verifying Signature in Smart Card
- Sign file using smartcardio
- Sign file with public and private keys stored on smart card
- Smart Cards Development